In October last year, the Court of Justice of the European Union (CJEU) invalidated the EU-US Safe Harbor agreement. Concern had been mounting for some time that the agreement failed to provide adequate protections for EU citizens’ private data located in, or transferred to, the United States. The decision means that the most commonly used data transfer mechanism between the EU and the US – relied on by over 4000 companies to store and process data in the US – is no longer an option. Until agreement is reached on the exact nature of the new Privacy Shield, there is no global, over-arching framework in place to allow the transfer of personal data belonging to EU citizens out of the region – and companies face the risk of potential fines and prosecutions if they do so.
The impact for companies is very significant as, until the new Privacy Shield is in place, the CJEU ruling requires them to obtain each EU citizen’s explicit consent before moving their personal data to the US – this includes such information as their name, email or home address, employees’ HR data and health-related information, or any documents containing such details. In practical terms, this has implications across Europe for the way in which hospitals, for example, store patient data, businesses archive HR information, and subsidiaries share internal and external data with their US-based parent organisations.
Without Safe Harbor, US companies will have to be up to speed on the individual data protection policies of individual European countries – particularly Germany, France and Switzerland, which have the most stringent rules – especially in the context of civil and criminal investigation and litigation. Taking Germany as an example – following the CJEU decision, if or when a US-based company needs to transfer data from Germany to the US, it will have to take into account state and federal data protection laws, engage with workers and potentially their counsel, review the data in Germany, and/or ask a US court or government entity to request the documents from Germany through official processes – such as a mutual legal assistance treaty (MLAT).
In France, US companies will have to consider blocking statutes – and in Switzerland the Swiss Blocking Statute and Bank Secrecy laws – before transferring data out of the country. The UK’s Data Protection Act and Italy’s Data Protection Code also make data transfers difficult and need to be adhered to on a case-by-case basis. Once the new EU legislation is in place, the EU Council and EU Parliament will be able to enforce potentially crippling fines. It is therefore vital for companies to conduct self-assessments and ensure compliance with the interim data protection legislation of individual EU countries and, longer term, make sure that they have the procedures and infrastructure in place to comply with the forthcoming EU legislation.
With suggestions that the EU Council is making plans to allow fines to be imposed of up to €1 million or 2% of global annual turnover, and for the EU Parliament to levy fines of up to €100 million or 5% of global turnover, it is critical that companies act now and keep on the right side of Europe’s new data protection laws. The abandonment of Safe Harbor and the confusion around Privacy Shield while the mechanism is finalised only serve to demonstrate the importance of long-term and consistent observance and monitoring of local data protection laws and policies for companies of all sizes.
But that’s not the only piece of legislation on the table. On 14th April, the EU Parliament also formally adopted the General Data Protection Regulation (GDPR). This is another, separate legislative step intended to modernise and overhaul the EU’s many different data protection laws. The next step will be for the GDPR to be officially published, translated, and printed in the Official Journal of the European Union, probably in June. Less than a month after that, the two-year countdown to the GDPR taking effect will commence. As the GDPR reaches the end of this lengthy acceptance and adoption process, it’s worth remembering that it too will strengthen EU citizens’ control over their personal data, giving them new rights, such as the right to data portability and the right to be forgotten – and put a strain on any transatlantic data transfer agreements.
FRA’s position has always been to treat local data protection and transfer laws as a priority and first point of reference for any business wishing to store or transfer sensitive customer or employee data – but now it’s even more important. Ultimately, it is the national privacy regulators and European judges who are responsible for determining whether transfers could or should have been made (and whether they were done appropriately), not the US Department of Commerce or the Commission.
We can accelerate your compliance with GDPR and do so in a way that helps your security posture. For more, see OODA LLC.